Digital Identity Management: Technological, Business and Social Applications

John Paschoud (London School of Economics & Political Science)

Online Information Review

ISSN: 1468-4527

Article publication date: 17 April 2009

Citation

Paschoud, J. (2009), "Digital Identity Management: Technological, Business and Social Applications", Online Information Review, Vol. 33 No. 2, pp. 387-389. https://doi.org/10.1108/14684520910951294

Publisher: Emerald Group Publishing Limited

Copyright © 2009, Emerald Group Publishing Limited


Digital Identity Management is a collection of essays, articles and short case studies, between them covering an impressive range of the subject claimed by the full title of the book. The group of authors contributing articles includes several well‐known as authorities in the financial, business and government sectors. The articles are structured into three main sections – i.e. Identity Technologies, Identity in Business and Government and Digital Identity in Context – but there is not always a clear distinction as to what these sections are for, and why an article fits into one place rather than another, despite the editor's introduction to the structure.

At the level of identifying the key business issues, some individual articles (I could single out Paul Mackinnon's “Large‐scale identity management”, for example; or the very last article, “Digital identity management implications” by the editor with John Elliott and Andrew Whitcombe) are good, self‐contained briefings in their own right – and might tempt a reader with available time and curiosity into sampling some of the other, more specific parts of the book. In several ways, though, Mackinnon's article typifies a weakness of the book in general: that it includes many versions and illustrations of some rather basic (obvious?) business strategy homilies, such as “IAM (identity and access management) is complex, and no single software company can provide everything you need”. (This is possibly a truism for most major information systems fields.) The same article continues to describe a “suggested services architecture” – but with a graphic of three banana‐shaped elements of authentication, authorisation and administration, around an identity store. This is about as technical as it gets, and not a bad indication of the overall level of detail at which the whole collection is pitched. For a reader who wants just that, this of course is good.

Dipping into “A roadmap for biometrics” (in the Identity Technologies section of the book), I was hoping for more hard information than I found on the comparable false acceptance and false rejection rates between different technologies (fingerprint, face, iris, etc.) for recognising a person by matching against stored data. This despite the fact that the article is by John Elliott (who was involved in practical work such as for the UK Police Information Technology Organisation) and is the only one in the book focusing on biometrics; so I would need to read much further than even the four references it includes to make an informed business decision about which of these technologies I should recommend to those who spend the serious money in my own organisation.

Some of the articles included stray into areas which readers might think are beyond the scope of the book's title: Kevin Warwick, for example, is an authority on implanted technology in humans, having performed several well‐publicised experiments in which he has turned himself into something approaching (his definition of) a “cyborg”. Interesting, but the connection to (at least my definition of) identity management, even in the widest sense, is tenuous at best.

As a practitioner who has worked on a number of projects dealing with identity management in the academic sector, I still learned some useful things from some of the articles collected here. My main disappointment (but perhaps partly for reasons of personal vanity) in the breadth of the book's coverage was that it failed to note progress in this field by universities, colleges and schools in Britain, the USA, Australia and many European countries. Although the concepts of federated identity management were mentioned in several places, and as “on the horizon” (p. 250), practical identity and access management federations had been established by the higher education communities of many countries, using the standard (SAML, or Security Assertion Markup Language) mentioned in the final article by Birch, Elliott and Whitcombe, since well before the publication date. Identity federations in education take advantage of the fact that the business of being a university requires a closer (and therefore potentially more “trusted”) association with employed faculty members and enrolled students, than even the association between an individual and his or her bank. In a subject as fast‐moving as this, there is always a need for updating, and so I hope that, if a second edition is considered, some case studies of universities as corporate identity managers, and national research and education networks as hosts to identity federations can be included.

The book added something to my own learning, because there is always a risk, when one is deeply immersed in a subject in a particular country, business sector or community, of failing to see parallel progress in the same field by another community of practitioners or researchers. Articles in this book certainly helped me to understand the relationships between some of the newer technologies such as biometrics and two‐factor authentication – but left me (still a technologist at heart) feeling somewhat frustrated that they rarely, if ever, dived into the detail of exactly how things worked, and how I could try them out myself in more practical ways.

Not all of the articles are merely descriptive and objective. There is a fair amount of opinion there; and that is not necessarily a bad thing, in a field of information systems that has the rare quality to interest and excite strong feelings and public debate even among lay people. I happen to agree with the misgivings of Gareth Crossman (“The ID Problem”) about the proposed UK government scheme for citizen identity cards and a comprehensive database to support their use. What I found most interesting were this and the other articles and case studies on work in progress on identity management projects of the largest scale, by various national governments, and the organisational and legal challenges they face and have (in some cases) surmounted.

I would recommend Digital Identity Management as a high‐level primer for senior managers who, without necessarily a background in IT, need to acquire an understanding of just how broad this topic is – and therefore that it does indeed have serious implications for almost all enterprises that deal with people and information about them.
